
Creating a Primary Zone

A primary zone stores the master copy of the zone data. Primary zones are organized within DNS views. For more information on DNS zones, see Configuring DNS Zones.

To create a primary zone, complete the following:

  1. From the Cloud Services Portal, click Configure > Networking > DNS Zones.
  2. Create a DNS view or click an existing DNS view. For more information about creating a DNS view, see Configuring DNS Views.
  3. On the Zones page, click Create and select Primary Zone from the drop-down list.
  4. On the Create Primary Zone page, specify the following:
    • Name: Enter the domain name for the zone. 

      • To create an IPv4 reverse-mapping zone, specify in-addr.arpa as the top-level reverse-mapping zone while specifying a name for the zone.

      • To create an IPv6 reverse-mapping zone, specify ip6.arpa as the top-level reverse-mapping zone while specifying a name for the zone.

    • Description: Enter additional details about the zone.
    • Disable for DNS Protocol: Select this check box to temporarily disable this zone. For information, see Enabling and Disabling Zones.
    • Notify External Secondary DNS Servers: Select this check box to send DNS NOTIFY messages to external secondary DNS servers when this primary zone is created or its data changes, so that they can request a zone transfer.
    • Tags: Click Add to associate keys with values. Specify the following details:
      • KEY: Enter a meaningful name for the key, such as a location or a department.  
      • VALUE: Enter a value for the key such as San Jose (for location), or Accounts (for department).  

  5. Select DNS AUTHORITATIVE SERVERS from the list. You can also define zones without assigning DNS servers to them. This is particularly helpful during pre-deployment provisioning and during troubleshooting activities. 
  6. Configure the Zone Settings Defaults. The Zone Settings Defaults are inherited from Global DNS Properties. For more information, see Configuring Global DNS Properties. Alternatively, toggle Inherit to Off and configure the values for each of the following:
    • Serial Number: Specify a serial number.
    • Refresh: Specify the value and choose Hours,  Minutes, or Seconds from the drop-down list.

    • Retry: Specify the value and choose Hours, Minutes, or Seconds from the drop-down list.
    • Expire: Specify the value and choose Days, Hours, Minutes, or Seconds from the drop-down list.
    • Default TTL: Specify the value and choose Hours, Minutes, or Seconds from the drop-down list.
    • Negative-caching TTL: Specify the value and choose Minutes or Seconds from the drop-down list.
    • EMAIL ADDRESS (FOR SOA RNAME field): Specify an email address for the SOA RNAME field.
    • Use default forwarders to resolve queries for delegated zones: Select the check box to use the default forwarders for delegated zones.

  7. Configure the Queries. The queries are inherited from Global DNS Properties. For more information, see Configuring Global DNS Properties. Alternatively, toggle Inherit to Off and configure the values in the ALLOW QUERIES FROM section. Click Add to add or Remove to remove the entries. Choose one of the following from the TYPE drop-down list:   
    • Any Address/Network: Choose this option to allow or deny queries from any IP address or network. The PERMISSION column displays Allow by default, in which case the application replies to queries from all clients. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
    • IPv4 Address: Choose this option to add an IPv4 address. Click the VALUE field and enter the IP address of the client from which the query originates. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
    • IPv4 Network: Choose this option to add a network to the list. Click the VALUE field and enter an IPv4 network address and its netmask. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.

    • Named ACL: Choose this option to add a named ACL that you want to use. Click the VALUE field and the list of named ACLs is displayed. If you have only one named ACL, the application displays it automatically. When you select this, the application replies to DNS queries from clients matching the ACL. You can click Clear to remove the selected named ACL.

    • TSIG: Select an existing TSIG key; only queries signed with that key match the entry. For more information, see Configuring TSIG Keys. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
  8. Configure the Zone transfers. The zone transfer settings are inherited from Global DNS Properties. For more information, see Configuring Global DNS Properties. Alternatively, toggle Inherit to Off and configure the values in the ACCEPT ZONE TRANSFER REQUESTS FROM section. Click Add to add or Remove to remove the entries. Choose one of the following from the TYPE drop-down list:
    • Any Address/Network: Choose this option to allow or deny zone transfer requests from any IP address or network. The PERMISSION column displays Allow by default; in that case the application sends a full copy of the zone to any client that asks for it, so leave this entry on Allow only for zones whose complete contents are meant to be public. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
    • IPv4 Address: Choose this option to add an IPv4 address. Click the VALUE field and enter the IP address of the remote server that requests the transfer. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.

    • IPv4 Network: Choose this option to add an IPv4 network address to the list. Click the VALUE field and enter an IPv4 network address and its netmask. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.

    • Named ACL: Choose this option to add a named ACL. Click the VALUE field and the list of named ACLs is displayed. If you have only one named ACL, it is displayed automatically. When you choose this, the application allows servers that have the Allow permission to send and receive DNS zone transfer data. You can click Clear to remove the chosen named ACL.

    • TSIG: Select an existing TSIG key. Transfer requests signed with that key match the entry, which authenticates the secondary instead of trusting its source address alone. For more information, see Configuring TSIG Keys. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
  9. Configure dynamic updates. The dynamic update settings are inherited from Global DNS Properties. For more information, see Configuring Global DNS Properties.
    • Allow GSS-TSIG-signed updates: Toggle Inherit to Off, and select the check box to allow GSS-TSIG-signed updates. GSS-TSIG (Generic Security Service Algorithm for Secret Key Transaction Authentication) is used to authenticate DDNS updates. For more information, see Configuring GSS-TSIG.
    • ALLOW DYNAMIC UPDATES: Toggle Inherit to Off and configure the values in the ALLOW DYNAMIC UPDATES section. Click Add to add or Remove to remove the entries. Choose one of the following from the TYPE drop-down list:
      • Any Address/Network: Choose this option to allow or deny dynamic updates from any IP address or network. The PERMISSION column displays Allow by default; with Allow, any client that can reach the server may add, change, or delete records in this zone, so for production zones prefer specific addresses or signed (TSIG or GSS-TSIG) updates. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
      • IPv4 Address: Choose this option to add an IPv4 address. Click the VALUE field and enter the IP address of the client that sends the updates. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.

      • IPv4 Network: Choose this option to add an IPv4 network address to the list. Click the VALUE field and enter an IPv4 network address and its netmask. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.

      • Named ACL: Choose this option to add a named ACL. Click the VALUE field and the list of named ACLs is displayed. If you have only one named ACL, it is displayed automatically. When you select this, the application accepts dynamic updates from clients that match the ACL with the Allow permission. You can click Clear to remove the chosen named ACL.

      • TSIG: Select an existing TSIG key. Updates signed with that key match the entry. For more information, see Configuring TSIG Keys. The PERMISSION column displays Allow by default. You can change it to Deny by clicking the field and choosing Deny from the drop-down list.
  10. Configure the resource record limits. An rdatatype (short for resource record type) refers to the specific type of resource record (RR) in the DNS. Each resource record has an associated type that indicates the kind of data it holds; for example, type A holds the IPv4 address of a host such as a NIOS-X server, and type MX describes how to route mail. An rdataset is the set of resource records of the same type for a specific domain name. Excessively large rdatasets or large numbers of RR types at one name can slow down query processing, therefore limits can be set on a per-zone basis. The value 0 removes the upper limit, which may result in reduced performance. Configure the following settings:
    • Max Records per Type: Specify a numeric value for maximum records per type. The default value is 2000.
    • Max Types per Name: Specify a numeric value for maximum types per name. The default value is 100.
  11. Click Save & Close to save.

    After a primary zone is created, you can add resource records to it. For more information, see Configuring Resource Records.
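The Zone Settings Defaults in step 6 are SOA values whose relationships matter more than the individual numbers. The following added example (not code from the portal or from Infoblox) converts values chosen with the unit drop-downs into seconds, checks the timers against the guidance in RFC 1912 section 2.2 and RFC 2308 section 5, and shows the RNAME encoding that the EMAIL ADDRESS field stands in for. The thresholds are RFC recommendations, not limits the portal enforces, and the sample values are constructed.

```python
# Added example (not Infoblox code): sanity-check the step 6 SOA settings.
# Thresholds come from RFC 1912 section 2.2 and RFC 2308 section 5; the portal
# itself does not enforce them. Sample values below are constructed.

UNIT_SECONDS = {"Seconds": 1, "Minutes": 60, "Hours": 3600, "Days": 86400}


def to_seconds(value: int, unit: str) -> int:
    """Translate a portal value plus its unit drop-down choice into seconds."""
    if value < 0:
        raise ValueError("timer values cannot be negative")
    return value * UNIT_SECONDS[unit]


def check_soa_timers(refresh: int, retry: int, expire: int,
                     negative_ttl: int) -> list[tuple[str, str]]:
    """Return (code, explanation) findings for SOA timers given in seconds.

    An empty list means the values are internally consistent and inside the
    ranges RFC 1912 and RFC 2308 recommend.
    """
    findings = []
    if retry >= refresh:
        findings.append(("retry_ge_refresh",
                         "retry should be shorter than refresh; it is the wait after a failed refresh"))
    if expire <= refresh + retry:
        findings.append(("expire_too_small",
                         "expire must exceed refresh + retry, or secondaries can drop the zone "
                         "before they get a chance to retry"))
    if not 14 * 86400 <= expire <= 28 * 86400:
        findings.append(("expire_outside_recommended",
                         "RFC 1912 suggests an expire of 2 to 4 weeks"))
    if negative_ttl > 86400:
        findings.append(("negative_ttl_too_long",
                         "RFC 2308 reports values above one day cause problems; 1 to 3 hours works well"))
    return findings


def rname_from_email(email: str) -> str:
    """Encode a mailbox as an SOA RNAME.

    The '@' becomes the first dot and any dots in the local part are escaped,
    so hostmaster@example.com becomes hostmaster.example.com.
    """
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError(f"{email!r} is not a mailbox")
    escaped_local = local.replace(".", "\\.")   # dots in the local part must be escaped
    return f"{escaped_local}.{domain}."


if __name__ == "__main__":
    # Constructed portal choices: the Negative-caching TTL drop-down only offers
    # Minutes or Seconds, so a two-day value has to be entered as 2880 Minutes.
    portal = {
        "Refresh": (3, "Hours"),
        "Retry": (1, "Hours"),
        "Expire": (2, "Days"),
        "Negative-caching TTL": (2880, "Minutes"),
    }
    secs = {name: to_seconds(*choice) for name, choice in portal.items()}
    for code, why in check_soa_timers(secs["Refresh"], secs["Retry"],
                                      secs["Expire"], secs["Negative-caching TTL"]):
        print(f"{code}: {why}")
    print(rname_from_email("john.doe@example.com"))
```

The two findings printed for the constructed values (expire of two days, negative-caching TTL of two days) are the mistakes most often seen when the unit drop-down is misread; the RNAME function shows why entering a mailbox with a dotted local part needs the escape.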
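The three access lists in steps 7 to 9 share one entry model (a type, a value and a permission). The following added example, which is not Infoblox code, models that list and contrasts the permissive default for zone transfers with a hardened list. It assumes entries are evaluated top to bottom with the first match deciding, as in BIND address match lists; the page does not state the portal's evaluation order, so confirm this against your deployment before relying on it. The addresses and key names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not Infoblox code): a model of the ALLOW QUERIES FROM /
# ACCEPT ZONE TRANSFER REQUESTS FROM / ALLOW DYNAMIC UPDATES lists.
# ASSUMPTION: entries are evaluated in order and the first match wins, as in
# BIND address match lists; the portal's real evaluation order is not stated on
# the page. Addresses and key names are constructed samples.


@dataclass(frozen=True)
class Entry:
    kind: str                   # "any", "ipv4_address", "ipv4_network" or "tsig"
    value: str = ""             # address, network in CIDR form, or TSIG key name
    permission: str = "allow"   # the PERMISSION column: "allow" or "deny"


@dataclass(frozen=True)
class Request:
    source: str                     # client or server IP address
    tsig_key: Optional[str] = None  # name of the key the request was signed with


def matches(entry: Entry, req: Request) -> bool:
    """Does this list entry apply to the request?"""
    src = ipaddress.ip_address(req.source)
    if entry.kind == "any":
        return True
    if entry.kind == "ipv4_address":
        return src == ipaddress.ip_address(entry.value)      # False for an IPv6 source
    if entry.kind == "ipv4_network":
        return src in ipaddress.ip_network(entry.value, strict=False)
    if entry.kind == "tsig":
        return req.tsig_key is not None and req.tsig_key == entry.value
    raise ValueError(f"unknown entry type {entry.kind!r}")


def evaluate(acl: list[Entry], req: Request) -> str:
    """First matching entry wins; a request that matches nothing is denied."""
    for entry in acl:
        if matches(entry, req):
            return entry.permission
    return "deny"


# Weak: the Any Address/Network entry left on Allow lets anyone pull the whole zone.
WEAK_TRANSFER_ACL = [Entry("any")]

# Hardened: transfers only for the signed secondary or the internal range,
# with an explicit deny for everything else.
HARDENED_TRANSFER_ACL = [
    Entry("tsig", "xfer-key-secondary1"),
    Entry("ipv4_network", "10.0.0.0/8"),
    Entry("any", permission="deny"),
]


def demo() -> dict[str, str]:
    """Verdicts for a few constructed requesters against both lists."""
    internet_host = Request("203.0.113.7")
    signed_secondary = Request("198.51.100.2", tsig_key="xfer-key-secondary1")
    internal_host = Request("10.42.0.5")
    return {
        "weak/internet": evaluate(WEAK_TRANSFER_ACL, internet_host),
        "hardened/internet": evaluate(HARDENED_TRANSFER_ACL, internet_host),
        "hardened/signed": evaluate(HARDENED_TRANSFER_ACL, signed_secondary),
        "hardened/internal": evaluate(HARDENED_TRANSFER_ACL, internal_host),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20} {verdict}")
```

The same evaluate() call covers the query and dynamic-update lists; only the entries differ. Note that a TSIG entry matches on the key name the request was signed with, so a secondary that is renumbered keeps working while an unsigned request from its old address is still refused.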

Note

An authoritative reverse-mapping zone is an area of network space for which one or more name servers, primary and secondary, have the responsibility to respond to address-to-name queries. Infoblox supports reverse-mapping zones for IPv4 addresses (under in-addr.arpa) and IPv6 addresses (under ip6.arpa). You can add in-addr.arpa as the top-level reverse-mapping zone. Note that you cannot add these zones using their IP addresses or netmasks; you add them by name under in-addr.arpa instead.

RFC 2317, Classless IN-ADDR.ARPA delegation is an IETF (Internet Engineering Task Force) document that describes a method of delegating parts of the DNS IPv4 reverse-mapping tree that corresponds to subnets smaller than a /24 (from a /25 to a /31). The DNS IPv4 reverse-mapping tree has nodes broken at octet boundaries of IP addresses, which correspond to the old classful network masks. So, IPv4 reverse-mapping zones usually fall on /8, /16, or /24 boundaries.

To create a primary authoritative reverse mapping zone, add in-addr.arpa as the top-level reverse mapping zone and specify the domain in the Name field.
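The naming rules above, worked through in code. This is an added example and not Infoblox code: it derives the name to enter in the Name field for a reverse-mapping zone from an IPv4 or IPv6 prefix, and lists the CNAME records an RFC 2317 classless delegation needs in the covering /24 zone. The "128/25" label follows the RFC 2317 example; the RFC also allows a different separator such as "-" because some software rejects "/" in names, and whether the Cloud Services Portal accepts "/" in a zone name is not stated on this page. The prefixes are constructed samples.

```python
import ipaddress

# Added example (not Infoblox code): derive reverse-mapping zone names from a
# prefix, following the in-addr.arpa / ip6.arpa conventions described above and
# the RFC 2317 scheme for /25 to /31 blocks. Prefixes are constructed samples.
# Whether the portal accepts "/" inside a zone name is an assumption to verify.


def reverse_zone_name(prefix: str) -> str:
    """Return the reverse-mapping zone name for an IPv4 or IPv6 prefix.

    IPv4 prefixes on an octet boundary (/8, /16, /24) map directly into
    in-addr.arpa; /25 to /31 use the RFC 2317 "<first-host>/<prefixlen>" label
    inside the covering /24. IPv6 prefixes must fall on a nibble boundary.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        octets = str(net.network_address).split(".")
        if net.prefixlen in (8, 16, 24):
            kept = octets[: net.prefixlen // 8]
            return ".".join(reversed(kept)) + ".in-addr.arpa"
        if 25 <= net.prefixlen <= 31:
            classless = f"{octets[3]}/{net.prefixlen}"
            return classless + "." + ".".join(reversed(octets[:3])) + ".in-addr.arpa"
        raise ValueError(f"{prefix}: use /8, /16, /24, or a /25 to /31 classless block")
    if net.prefixlen == 0 or net.prefixlen % 4 != 0:
        raise ValueError(f"{prefix}: IPv6 reverse zones must fall on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")   # 32 hex digits
    kept = nibbles[: net.prefixlen // 4]
    return ".".join(reversed(kept)) + ".ip6.arpa"


def rfc2317_parent_cnames(prefix: str) -> list[tuple[str, str]]:
    """CNAME records the covering /24 zone needs so that PTR lookups for hosts
    in a classless block are redirected into the delegated RFC 2317 zone.

    Returns (owner, target) pairs: owner is relative to the /24 zone, target is
    the fully qualified name inside the classless zone.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or not 25 <= net.prefixlen <= 31:
        raise ValueError("RFC 2317 applies to IPv4 blocks between /25 and /31")
    zone = reverse_zone_name(prefix)
    records = []
    for addr in net:                      # every address in the block, first and last included
        host = str(addr).split(".")[3]
        records.append((host, f"{host}.{zone}."))
    return records


if __name__ == "__main__":
    for p in ("10.20.30.0/24", "10.0.0.0/8", "2001:db8::/32", "10.20.30.128/25"):
        print(f"{p:20} -> {reverse_zone_name(p)}")
    for owner, target in rfc2317_parent_cnames("10.20.30.128/25")[:2]:
        print(f"{owner:4} IN CNAME {target}")
```

The CNAME list is what the owner of the parent /24 zone must add; the delegated classless zone itself holds the PTR records, which is why a /25 to /31 block cannot simply be created as an ordinary child of in-addr.arpa.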

Warning

The subdomains starting with ns.b1ddi and b1ddi are reserved and cannot be used as a prefix for the names of zones and resource records.

Note

When creating or modifying a zone managed by NIOS, if you set Inherit or Override on any one of the Refresh, Retry, Expire, Default TTL, and Negative-caching TTL fields, the other four automatically follow the same setting. You cannot inherit or override a single field selectively.